04-26-2011 05:46 AM - edited 03-10-2019 06:01 PM
Hi
Is it possible to use different RADIUS groups for dot1x authentications?
I want to authenticate ports 1-24 against server A from customer A and ports 25-48 against server B from customer B.
I have already the following RADIUS group definitions and aaa dot1x lists.
aaa group server radius CUSTOMERA_RADIUS
server 1.1.1.1 auth-port 1645 acct-port 1646
!
aaa group server radius CUSTOMERB_RADIUS
server 2.2.2.2 auth-port 1812 acct-port 1813
!
aaa authentication dot1x CUSTOMERA group CUSTOMERA_RADIUS none
aaa authentication dot1x CUSTOMERB group CUSTOMERB_RADIUS none
But how can I direct the authentication of a specific port to a specific server group / aaa lists?
Kind regards
Roberto
04-27-2011 07:56 PM
Hello Roberto
Unfortunately, we cannot separate the authentication request on the basis of switchports on the switch. There is no such feature available in the interface configuration.
thanks
Devashree
P.S. - please rate the helpful posts.
04-28-2011 03:33 AM
Interesting topic and timely post as I've just spent most of yesterday trying to achieve the exact same thing with no luck.
Three different networks on the same L3 switch using VRF-Lite for segregation.
Like Roberto, I can configure 3 separate AAA/RADIUS groups, each within one of the VRFs.
What I wanted to then achieve was that ports in Network A would authenticate against a RADIUS server in Network A; if a user in Network B or C accidentally connects, they won't be able to authenticate.
Thus forcing the users to only use ports on their own network.
Within a Cisco wireless world it is possible to set different RADIUS servers for different WLANs, as you can choose RADIUS servers from a list in the wireless controller, so it seems strange not to allow the same feature in IOS and hard-wired networks/ports.
A RADIUS proxy doesn't really help as you want the different ports to go to different RADIUS servers not the same one or a combined/proxied set of credentials.
Any other thoughts/options?
05-27-2011 04:10 AM
Roberto,
Have found a solution to this for me anyhow.
Authenticate to a single RADIUS server, but then proxy requests to other RADIUS servers based on pattern matching, then use dynamic VLAN allocation to put them into different VLANs.
I've hit issues with my setup on the number of VLANs, but have described the setup in the post below:
https://supportforums.cisco.com/thread/2086321
Hope this helps
Mike
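Added illustration of the proxy-and-dynamic-VLAN approach Mike describes (not code from the thread or from any Cisco product): a realm pattern on User-Name picks the customer's home RADIUS server, and the proxy validates the VLAN returned in the customer server's Access-Accept against that customer's allowed VLAN set before building the RFC 3580 Tunnel-* attributes the switch needs. Realms, server addresses, VLAN ranges and the simulated upstream reply are all constructed assumptions.

```python
import re

# Constructed routing table (assumption): regex on User-Name, home server, VLANs that customer may use.
# The pattern could equally match NAS-Port-Id if the split is per switchport rather than per realm.
ROUTES = [
    (re.compile(r"@customera\.example$", re.I), "1.1.1.1", {10, 11, 12}),
    (re.compile(r"@customerb\.example$", re.I), "2.2.2.2", {20, 21}),
]

TUNNEL_TYPE_VLAN = 13   # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6   # RFC 3580: Tunnel-Medium-Type = IEEE-802


def select_home_server(user_name):
    """Return (server, allowed_vlans) for the realm in User-Name, or None if no route matches."""
    for pattern, server, vlans in ROUTES:
        if pattern.search(user_name):
            return server, vlans
    return None


def vlan_attributes(vlan_id):
    """Attributes an IOS switch expects in the Access-Accept for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def proxy_decision(user_name, home_reply):
    """Decide what the proxy returns to the switch.

    home_reply simulates the upstream answer as ("Access-Accept", vlan_id) or ("Access-Reject", None);
    a real proxy would obtain it by forwarding the Access-Request to the selected server.
    A VLAN outside the customer's allowed set is refused, so a misconfigured or compromised
    customer server cannot place a supplicant into another customer's VLAN."""
    route = select_home_server(user_name)
    if route is None:
        return {"code": "Access-Reject", "reason": "no realm route"}
    server, allowed = route
    code, vlan = home_reply
    if code != "Access-Accept":
        return {"code": "Access-Reject", "reason": f"rejected by {server}"}
    if vlan not in allowed:
        return {"code": "Access-Reject", "reason": f"VLAN {vlan} not permitted via {server}"}
    return {"code": "Access-Accept", "server": server, "attributes": vlan_attributes(vlan)}
```

On the switch side, the Tunnel-* attributes are only applied when network authorization is enabled for the RADIUS group (aaa authorization network ... group radius), not just dot1x authentication.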